2008-11-25 13:33:14 |
Jakob Sigurðsson |
bug |
|
|
added bug |
2008-11-25 13:33:38 |
Jakob Sigurðsson |
description |
Binary package hint: likewise-open
After installing likewise-open on 8.10 I am unable to change any local passwords.
The latest updates have just been applied - some updates to libpam were included but did not fix the problem.
This appears only to be the case with users with empty passwords.
<code>
jakob@ubuntu:~$ passwd
Changing password for jakob.
(current) UNIX password:
^C
passwd: Authentication token manipulation error
passwd: password unchanged
jakob@ubuntu:~$
jakob@ubuntu:~$ sudo su -
[sudo] password for jakob:
root@ubuntu:~# passwd
passwd: password updated successfully
root@ubuntu:~#
root@ubuntu:~# adduser testuser
Adding user `testuser' ...
[output cut]
root@ubuntu:~#
root@ubuntu:~#
root@ubuntu:~#
root@ubuntu:~# passwd testuser
passwd: password updated successfully
root@ubuntu:~#
</code>
The passwd command simply prints out that "password updated successfully" message then exits. |
|
|
2008-11-26 10:32:23 |
Thierry Carrez |
likewise-open: status |
New |
Confirmed |
|
2008-11-26 10:32:23 |
Thierry Carrez |
likewise-open: statusexplanation |
|
Confirming...
Once likewise-open is installed (whether a domain is joined or not), running "passwd" to change a local password fails: it never prompts for a new password. (Changing a domain password works.)
It also always returns "passwd: password updated successfully"
I suppose there is something wrong in the PAM stack:
password [success=2 default=ignore] pam_lwidentity.so
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so
use_authtok forces pam_unix.so to use the password entered for pam_lwidentity.so... but if the user is not in the domain there is no such token. There is little to gain in reusing passwords between pam_lwidentity.so and pam_unix.so, since they aren't targeting the same users...
As a dirty workaround "use_authtok" can be removed from /etc/pam.d/common-password:
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
(that change will be overridden next time pam-auth-update is run) |
|
2008-11-26 10:37:48 |
Thierry Carrez |
likewise-open: status |
Confirmed |
New |
|
2008-11-26 10:37:48 |
Thierry Carrez |
likewise-open: statusexplanation |
|
|
2008-11-26 10:38:01 |
Thierry Carrez |
bug |
|
|
assigned to pam (Ubuntu) |
2008-11-27 07:30:37 |
Thierry Carrez |
pam: status |
New |
Invalid |
|
2008-11-27 07:30:37 |
Thierry Carrez |
pam: statusexplanation |
|
Thanks for the analysis, this should indeed be fixed in pam_lwidentity.so rather than special-casing pam_lwidentity.so in the pam stack building tools. |
|
2008-11-27 07:30:51 |
Thierry Carrez |
likewise-open: status |
New |
Confirmed |
|
2008-11-27 07:30:51 |
Thierry Carrez |
likewise-open: importance |
Undecided |
Medium |
|
2009-10-10 07:47:44 |
MikeMc |
removed subscriber MikeMc |
|
|
|
2009-10-14 14:00:18 |
Thierry Carrez |
likewise-open (Ubuntu): status |
Confirmed |
Triaged |
|
2010-03-26 16:36:51 |
James Gregory-Monk |
removed subscriber James Gregory |
|
|
|
2012-10-25 11:53:03 |
Stefan |
bug |
|
|
added subscriber Stefan Felkel |
2013-08-05 11:17:31 |
Claus Frein |
removed subscriber Claus Frein |
|
|
|
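A heuristic check for the condition described in Thierry Carrez's comment above, added here as an example; it is not part of the bug report, likewise-open or the PAM tooling. It parses a password stack and flags any module carrying use_authtok when no earlier module that cannot be skipped would have collected a new password. The function names, the "skippable" heuristic and the pam_cracklib.so contrast stack are assumptions.

```python
import re

# The password stack quoted in the comment, embedded so the check runs offline.
SAMPLE = """\
password [success=2 default=ignore] pam_lwidentity.so
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so
"""
# Constructed contrast case: a mandatory module that prompts comes first.
WITH_PROMPTER = "password requisite pam_cracklib.so retry=3\n" + SAMPLE

LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
NON_PROMPTING = {"pam_deny.so", "pam_permit.so"}  # never ask for a password

def parse_stack(text, facility="password"):
    """Return (control, module, options) tuples for one PAM facility."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = LINE.match(line)
        if m and m.group(1).lstrip("-") == facility:
            stack.append((m.group(2), m.group(3), m.group(4).split()))
    return stack

def may_be_skipped(control):
    """True if a non-success result from this module does not stop the stack."""
    if control.startswith("["):
        actions = dict(kv.split("=", 1) for kv in control.strip("[]").split())
        return actions.get("default") == "ignore"
    return control in ("optional", "sufficient")

def find_orphan_use_authtok(text):
    """List modules that require an earlier token that nothing is sure to set."""
    findings, token_guaranteed = [], False
    for control, module, options in parse_stack(text):
        name = module.rsplit("/", 1)[-1]
        if "use_authtok" in options and not token_guaranteed:
            findings.append(name)
        # Heuristic (assumption): a mandatory module that does not itself rely
        # on use_authtok is the one that prompts for the new password.
        if (not may_be_skipped(control) and "use_authtok" not in options
                and name not in NON_PROMPTING):
            token_guaranteed = True
    return findings

if __name__ == "__main__":
    print(find_orphan_use_authtok(SAMPLE))
```

Run against a copy of /etc/pam.d/common-password after each pam-auth-update, since that tool regenerates the file.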